fix(GRO-564): remove automatic staff-user email linking

Automatic linking during OOBE login is a security risk - staff records
should only be linked to auth users via explicit admin action using
PATCH /api/staff/:id/link-user.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/src/routes/setup.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
 import { z } from "zod/v3";
-import { and, eq, getDb, sql, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
+import { eq, getDb, staff, businessSettings, authProviderConfig, encryptSecret } from "@groombook/db";
 import type { AppEnv } from "../middleware/rbac.js";
 
 export const setupRouter = new Hono<AppEnv>();
@@ -97,21 +97,6 @@ setupRouter.post("/", zValidator("json", setupSchema), async (c) => {
       }
     }
 
-    if (!resolvedStaff && jwt.email) {
-      // Try auto-link by email: staff record exists with matching email but no userId
-      const [byEmail] = await tx
-        .select()
-        .from(staff)
-        .where(and(eq(staff.email, jwt.email), sql`${staff.userId} IS NULL`));
-      if (byEmail) {
-        await tx
-          .update(staff)
-          .set({ userId: jwt.sub })
-          .where(eq(staff.id, byEmail.id));
-        resolvedStaff = { ...byEmail, userId: jwt.sub };
-      }
-    }
-
     if (!resolvedStaff) {
       // Brand new user during OOBE — create staff record
       if (!jwt.email) {